VYPR

Opencms

by Alkacon

Source repositories

CVEs (30)

  • CVE-2018-8811HigMar 20, 2018
    risk 0.60cvss 8.8epss 0.02

    Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows…

  • CVE-2026-38429CriMay 5, 2026
    risk 0.57cvss 9.8epss 0.00

    OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

  • CVE-2018-8815MedMar 20, 2018
    risk 0.33cvss 4.6epss 0.01

    Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.

  • CVE-2023-6380Dec 13, 2023
    risk 0.03cvss epss 0.02

    Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template. An attacker could create a specially crafted URL and send it to a specific user to redirect them to a malicious site and compromise them. Exploitation of…

  • CVE-2026-2736Feb 19, 2026
    risk 0.00cvss epss 0.00

    Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to…

  • CVE-2026-2735Feb 19, 2026
    risk 0.00cvss epss 0.00

    Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.

  • CVE-2024-41446Apr 21, 2025
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.

  • CVE-2024-42699Apr 21, 2025
    risk 0.00cvss epss 0.00

    Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field

  • CVE-2024-41447Apr 18, 2025
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.

  • CVE-2025-3317Apr 6, 2025
    risk 0.00cvss epss 0.00

    A vulnerability classified as problematic has been found in fumiao opencms up to a0fafa5cff58719e9b27c2a2eec204cc165ce14f. Affected is an unknown function of the file opencms-dev/src/main/webapp/view/admin/document/dataPage.jsp. The manipulation of the argument path leads to…

  • CVE-2025-0708Jan 24, 2025
    risk 0.00cvss epss 0.00

    A vulnerability was found in fumiao opencms 2.2. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/model/addOrUpdate of the component Add Model Management Page. The manipulation of the argument 模板前缀 leads to cross site…

  • CVE-2024-5521May 30, 2024
    risk 0.00cvss epss 0.00

    Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code.…

  • CVE-2024-5520May 30, 2024
    risk 0.00cvss epss 0.00

    Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in…

  • CVE-2023-37602Jul 20, 2023
    risk 0.00cvss epss 0.01

    An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

  • CVE-2023-31544May 16, 2023
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.

  • CVE-2021-25968Oct 19, 2021
    risk 0.00cvss epss 0.01

    In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the…

  • CVE-2015-2351Mar 19, 2015
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms 9.5.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) homelink parameter to system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp, (2) workplaceresource…

  • CVE-2013-4600Aug 9, 2013
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to…

  • CVE-2008-1753Apr 11, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.

  • CVE-2008-1510Mar 25, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter.

Page 1 of 2